Using .htaccess to lock down your site and pages

View previous topic View next topic Go down

Using .htaccess to lock down your site and pages

Post by jamied_uk on 6th May 2014, 17:01

Code:
AuthType Basic
AuthName "This Area is Password Protected"
AuthUserFile /full/path/to/.htpasswd
Require valid-user

Code:
chriscoyier:$apr1$O/BJv...$vIHV9Q7ySPkw6Mv6Kd/ZE/
Ideally, the .htpasswd file will be not in a public facing directory. Put this in there:
I usually put .htpasswd files in domain- or home-folders.
eg:
/home/myusername/domains/domain.com/
or
~/var/home/

http://css-tricks.com/snippets/htaccess/password-protect-folders/



Stupid htaccess Trick: Enable File or Directory Access to Your Password-Protected Site


In this brief tutorial, we are going to enable users to access any file or directory of a site that is password-protected via htaccess. There are many reasons for wanting to employ this technique, including:

  • Share public resources from an otherwise private site
  • Enable visitors to access content during site maintenance
  • Testing and formatting of layout and design during development

As a webmaster, I have used this technique on several occasions. This trick works great for allowing access to any number of files, directories, and/or combination of both. We will begin with a generalized example, proceed with an explanatory discussion, and wrap things up with a couple of useful modifications.
A Generalized Example
Here is the basic htaccess code enabling users to access a specific directory and file on your domain:
Code:
# password protection allowing directory and file access
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$"  allow
Order allow,deny
Allow from env=allow
Satisfy any
To use this tasty little nugget, copy & paste into your site’s root (or target directory) htaccess file and edit the following parameters:

  • The phrase “
    Code:
    Restricted Area
    ” will be displayed on the password-prompt dialogue box — edit accordingly.
  • Edit the
    Code:
    AuthUserFile
    path to match that of your htaccess password file (e.g., “
    Code:
    /home/path/.htpasswd
    ”).
  • Edit the first
    Code:
    Request_URI
    path to match that of your target directory, and/or the second
    Code:
    Request_URI
    path to match that of your target file (delete either one if not needed).

Afterwards, ensure that everything is functioning properly by attempting to access both your password-protected content and newly accessible directory and/or file. To reassure yourself, try using a few free proxies (Google: “free proxy”) to access your various resources.
Discussion
So, how exactly does this fine slice of htaccess code operate? Let’s break it on down..

Code:
AuthType Basic
This line specifies the authorization type, enabling Apache to run the correct function. In this case, and in 99% of the cases I have seen, the authorization type is “Basic”.
Code:
AuthName "Restricted Area"
Here we are specifying the message that will be displayed with the password-prompt dialogue box. This is a great place to inform visitors of any publicly available content. For example, you could display something like: “Private Site – Public content available at http://domain.tld/content/”
Code:
AuthUserFile /home/path/.htpasswd
In this line, we are specifying the location of the user authentication file. This file should not be available via the Internet (i.e., place in a directory above
Code:
public_html
) because it contains the password verification.
Code:
AuthGroupFile /dev/null
Here we are specifying the location of the group authorization file, if any. In this example, because we are not authorizing any groups, we specify a “null” value.
Code:
Require valid-user
This line instructs Apache to implement the password protection, essentially saying, “require a valid password” before allowing access.
Code:
SetEnvIf Request_URI "(path/to/directory/)$" allow
In this line, we are setting the specified URL request as an
Code:
allow
variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e.,
Code:
path/to/directory/
) with an
Code:
allow
variable.”
Code:
SetEnvIf Request_URI "(path/to/file\.php)$" allow
As in the previous line, here we are setting the specified URL request as an
Code:
allow
variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e.,
Code:
path/to/file\.php
) with an
Code:
allow
variable.”
Code:
Order allow,deny
Here we designate the order in which access parameters will be evaluated. In this case, we want to consider allowed access before denied access. Especially in this example, the order of these two parameters is critical.
Code:
Allow from env=allow
In this line, we are telling Apache to allow access to any resource associated with an
Code:
allow
variable.
Code:
Satisfy any
Finally, we wrap things up by instructing Apache to apply the directives for any condition in which the specified parameters have been satisfied Wink
Some tweaks and modifications..
Let’s take a look at a couple of potentially useful modifications..
Allow access to multiple site resources
To allow public user access to more resources, set additional
Code:
allow
variables:
Code:
# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
Of course, you will want to customize this code to reflect the various resources for which you would like to allow public access.
Allow webmaster and other sites open access to entire site
Here’s the scene: you have the entire site password-protected via htaccess. You also have allowed open, public access to various site resources, directories, etc. Now, what if you also want to provide unrestricted access to the entire domain for certain, key individuals and sites? Easy, just use this lil’ chunk of htaccess goodness:
Code:
# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
# allow open access to entire site for select ips and sites
Allow from 777.777.77.7
Allow from 888.888.88.8
Allow from 999.999.99.9
Allow from domains.tld
Allow from website.tld
Allow from example.tld
Satisfy any




http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/
avatar
jamied_uk
Admin

Posts : 2243
Join date : 2010-05-09
Age : 34
Location : UK

http://address-shortner.co.uk

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum